umbral | 07e10c35d0ba5cdb655370b4be54924e4c5a291cc5130ac35fcc1701b342cc39

Resubmissions

09-10-2024 15:26

241009-sveplssdjh 10

Analysis

max time kernel
107s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BanDPI.exe
Size

229KB
MD5

b480a45c37b268cc917a54cdefea620c
SHA1

e68857ab8b0d589056bbc571d9e95ebee78b198a
SHA256

07e10c35d0ba5cdb655370b4be54924e4c5a291cc5130ac35fcc1701b342cc39
SHA512

f68afd7bf02052bbb0b3589b4963eda82e3412ed3695c9834dc7400a5b6e658b26c3c5bcb18cbb0f4eab360bcb9d4412a2cdd3e7c1f5f84010bf7f978359f3a8
SSDEEP

6144:9loZM+rIkd8g+EtXHkv/iD4Ua88vFuW5l8VHCCHfHb8e1m5Qi:foZtL+EP8Ua88vFuW5l8VHCCH7c

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2900-1-0x000001E1F4410000-0x000001E1F4450000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
1708	Process not Found
1228	Process not Found
1816	Process not Found
3188	Process not Found
4520	Process not Found
1904	Process not Found
4404	Process not Found
4412	Process not Found
4456	Process not Found
1016	Process not Found
2260	Process not Found
3596	Process not Found
2284	Process not Found
4264	Process not Found
4824	Process not Found
4660	Process not Found
3848	Process not Found
3992	Process not Found
2432	Process not Found
4552	Process not Found
448	Process not Found
4848	Process not Found
4452	Process not Found
4772	Process not Found
2504	Process not Found
4372	Process not Found
628	Process not Found
2332	Process not Found
3500	Process not Found
2920	Process not Found
3948	Process not Found
3548	Process not Found
3732	Process not Found
964	Process not Found
4840	Process not Found
1336	Process not Found
2900	Process not Found
452	Process not Found
3640	Process not Found
4188	Process not Found
1224	Process not Found
1632	Process not Found
3652	Process not Found
4536	Process not Found
1132	Process not Found
2128	Process not Found
408	Process not Found
3764	Process not Found
644	Process not Found
8	Process not Found
2904	Process not Found
4724	Process not Found
3648	Process not Found
4864	Process not Found
2552	Process not Found
2036	Process not Found
1736	Process not Found
920	Process not Found
5016	Process not Found
656	Process not Found
2660	Process not Found
2948	Process not Found
4996	Process not Found
1680	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	BanDPI.exe
Token: SeIncreaseQuotaPrivilege	4372	wmic.exe
Token: SeSecurityPrivilege	4372	wmic.exe
Token: SeTakeOwnershipPrivilege	4372	wmic.exe
Token: SeLoadDriverPrivilege	4372	wmic.exe
Token: SeSystemProfilePrivilege	4372	wmic.exe
Token: SeSystemtimePrivilege	4372	wmic.exe
Token: SeProfSingleProcessPrivilege	4372	wmic.exe
Token: SeIncBasePriorityPrivilege	4372	wmic.exe
Token: SeCreatePagefilePrivilege	4372	wmic.exe
Token: SeBackupPrivilege	4372	wmic.exe
Token: SeRestorePrivilege	4372	wmic.exe
Token: SeShutdownPrivilege	4372	wmic.exe
Token: SeDebugPrivilege	4372	wmic.exe
Token: SeSystemEnvironmentPrivilege	4372	wmic.exe
Token: SeRemoteShutdownPrivilege	4372	wmic.exe
Token: SeUndockPrivilege	4372	wmic.exe
Token: SeManageVolumePrivilege	4372	wmic.exe
Token: 33	4372	wmic.exe
Token: 34	4372	wmic.exe
Token: 35	4372	wmic.exe
Token: 36	4372	wmic.exe
Token: SeIncreaseQuotaPrivilege	4372	wmic.exe
Token: SeSecurityPrivilege	4372	wmic.exe
Token: SeTakeOwnershipPrivilege	4372	wmic.exe
Token: SeLoadDriverPrivilege	4372	wmic.exe
Token: SeSystemProfilePrivilege	4372	wmic.exe
Token: SeSystemtimePrivilege	4372	wmic.exe
Token: SeProfSingleProcessPrivilege	4372	wmic.exe
Token: SeIncBasePriorityPrivilege	4372	wmic.exe
Token: SeCreatePagefilePrivilege	4372	wmic.exe
Token: SeBackupPrivilege	4372	wmic.exe
Token: SeRestorePrivilege	4372	wmic.exe
Token: SeShutdownPrivilege	4372	wmic.exe
Token: SeDebugPrivilege	4372	wmic.exe
Token: SeSystemEnvironmentPrivilege	4372	wmic.exe
Token: SeRemoteShutdownPrivilege	4372	wmic.exe
Token: SeUndockPrivilege	4372	wmic.exe
Token: SeManageVolumePrivilege	4372	wmic.exe
Token: 33	4372	wmic.exe
Token: 34	4372	wmic.exe
Token: 35	4372	wmic.exe
Token: 36	4372	wmic.exe
Token: SeDebugPrivilege	3752	taskmgr.exe
Token: SeSystemProfilePrivilege	3752	taskmgr.exe
Token: SeCreateGlobalPrivilege	3752	taskmgr.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 4372	2900	BanDPI.exe	83
PID 2900 wrote to memory of 4372	2900	BanDPI.exe	83

C:\Users\Admin\AppData\Local\Temp\BanDPI.exe
"C:\Users\Admin\AppData\Local\Temp\BanDPI.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4372

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3752

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:412

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3084

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4932

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3304

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1912

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2900-1-0x000001E1F4410000-0x000001E1F4450000-memory.dmp

Filesize
256KB

Download
memory/2900-0-0x00007FF8221A3000-0x00007FF8221A5000-memory.dmp

Filesize
8KB

Download
memory/2900-2-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/2900-4-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/3752-5-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download
memory/3752-7-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download
memory/3752-6-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download
memory/3752-17-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download
memory/3752-16-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download
memory/3752-15-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download
memory/3752-14-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download
memory/3752-13-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download
memory/3752-12-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download
memory/3752-11-0x000001D4B9B00000-0x000001D4B9B01000-memory.dmp

Filesize
4KB

Download